Tuesday, December 24, 2013

Are You a "Target"?

   By now, most of you have probably heard about the Target credit card information breach.  This is very big here in Minneapolis, home of Target.  All the details aren't out yet, but it appears that credit card information from brick-and-mortar stores was compromised between Friday Nov. 27 ("Black Friday") and Sunday Dec. 15.  Here are some articles covering the story.  Here's Target's response and an FAQ.

   I'd like to talk a bit about next steps.  If you've been the victim of a data breach... what next?

   First... for consumers.  Target is a retail company and the direct victims of the breach are those of us who shopped at a Target store during the dates in question.  Consumers have two concerns here: credit card fraud and identity fraud. (I don't like the term "identity theft" even though it is commonly used.  No one can steal your identity... you still have it.  They can improperly discover, and misuse, the details... a.k.a. fraud.)

Tuesday, December 17, 2013

f2f Still Rules

   It's definitely a digital world.  And with all the instant electronic communication methods available, it's easy to forget about good old-fashioned face-to-face.

   Many work places have gone to open seating, without cubes or offices, to promote collaboration.  There are "team spaces" and other kinds of open areas in which people can quickly get together to solve problems.

   I've been thinking about this topic for a couple of reasons.  First, I've been talking with internal groups about Internet Safety for Families.  This is a great topic both for general information and for Security Awareness in the workplace.  One item we often discuss is communication methods.  Teens and young adults (as well as many high-tech workers) do a disproportionate amount of their communication electronically.  Sometimes that works and sometimes it doesn't.

Tuesday, December 10, 2013

Password Problems Again

   So here we go again... more problems with breached passwords.  But this time there is a different wrinkle.

   By now, most of you have probably heard about the recent discovery of hackers getting around 2 million userids and passwords to online services like Facebook, Gmail, Yahoo, LinkedIn and Twitter.  Notable on the list of sites is ADP, the payroll processor.

   It's "just" 2 million sets of IDs and passwords.  That's not really big news these days, when the new record of over 152 million stolen passwords was recently set by the Adobe breach.  But there is a difference here.  For most of the big password breaches, the service provider's website or password store is hacked.  Then the encrypted password file or database is downloaded.  The attackers can take their time analyzing the encrypted data to come up with userids and passwords.  This work is made easier because so many sites use poorly implemented encryption.  And some sites use no encryption at all.

   But that's not what happened here.

   This time the passwords were stolen from the users of the sites.  That's you and me (well... hopefully not you or me!).

Tuesday, December 3, 2013

Is Your "Friend", Your Friend?

   An interesting topic came up the other day.  The question was whether to accept random social media requests.  Does your "friend" need to be your friend?

   Your answer to that question might vary based on the social network and how you use that social network.

   There's also an important Security Awareness angle here.  Social networks can be a vector for malicious links, phishing attempts, malware and scams.  These malicious techniques often work better when the link/attachment/request comes from a "friend", rather than via a random email or connection.